Skip to main content

Check out Interactive Visual Stories to gain hands-on experience with the SSE product features. Click here.

Skyhigh Security

Create a DLP On-Demand Scan for Azure

On-Demand Scans provide DLP protection to objects stored in Azure Blob storage. They evaluate data protection policies against the content in an Azure storage account, and support targeted investigations on data.

On-Demand Scans provide a great deal of flexibility to inspect different aspects of your deployment. For example, you could limit scans to new or updated files.

NOTE: For Azure scans, the first time a scan is run, it uses Full mode. Subsequent scans always use Incremental mode. If new documents in a previously scanned Azure Blob storage are found during the scan, the scan continues as Incremental. For more information about Full and Incremental data scope, see About On-Demand Scans


Azure Charges Due to On-Demand Scans

Because Skyhigh CASB accesses data during a scan, minimal API charges and data transfer charges are incurred per Azure pricing. These costs include:

  • Data Transfer Pricing: $0.01/GB
  • Azure read charges via GET requests: $0.01/25,000 API calls

Learn more about charges here:

NOTE: You can restrict scans to skip larger files to avoid some costs.

Quarantine Behavior in Azure Blobs and Files

The quarantine response action for Azure blobs and files has the following specific behavior: 

  • Objects or Files are quarantined in a new Blob container or File Share as applicable.
  • The new Blob container or File share are created in the same Storage account.

NOTE: The above Quarantine behavior is common for both NRT and ODS DLP or Malware Scan in Azure Blobs and Files.

Create an On-Demand Scan for Azure

To create an On-Demand scan:

  1. Go to Policy > On-Demand Scan.
  2. Click Actions > Create a Scan. The Scan Creation Wizard displays. 
  3. For Scan Type, choose Data Loss Prevention (DLP). If you would like to learn about Malware scans, see Create a Malware Scan.
  4. Enter the Name for the scan, then add an optional Description for the scan.
  5. For Service Instance, choose the Azure instance you want to scan. Click Next
  6. On the Select Policies page, select the available policies that you want to use for your scan type. (Note: Only Active policies are listed here.) Click Next
  7. On the Configure Scan page, configure the scope and users for your scan. 
    • Data:
      • Full. Scans all content every time the scan is run.
      • Incremental. Scan only content that has changed since the last successful scan. 
      • Scan Dates. Select All, to scan all data. Or select Last X Days to limit the scan to the specified time period.


  • Starting with the Skyhigh CASB 5.4.0 release onwards, to align IaaS DLP/Malware scan configurations with the SaaS DLP/Malware scan, per-scan settings options "File Size" and "Restrict File Type(s) to" are not available for the IaaS (Azure, AWS, and GCP) DLP Scans.
  • With this change, all new IaaS DLP/Malware scan honors the global scan settings by default.
  • The existing IaaS DLP/Malware scan honors the per-scan settings for the Skyhigh CASB 5.4.0 release only. If you want to retain the custom settings for specific IaaS scans, contact Skyhigh CASB Support.
  • Storage Accounts: 
    • Type. Choose Scan Blob Containers or choose Scan File Shares, depending on the type of data you would like to scan.
    • For Storage Accounts to Scan, choose one of the following:
      • All Storage Accounts. Scan all storage accounts. 
      • Include Specific Storage Accounts. To include only specific storage accounts, select a Predefined Dictionary, or enter users manually enter in a comma-separated list, or you can use a wildcard (*) in the text box below. 
      • Exclude Specific Storage Accounts. To exclude only specific storage accounts, select a Predefined Dictionary, or enter users manually enter in a comma-separated list, or you can use a wildcard (*) in the text box below. 
  • Subscriptions:
    • All Subscriptions. Scan all subscriptions.
    • Include Specific Subscriptions. To include only specific Azure subscriptions, or specify the users manually in a comma-separated list. 
    • Exclude Specific Subscriptions. To exclude only specific Azure subscriptions, or specify the user manually in a comma-separated list.


  • One or more subscriptions can be scanned. If existing DLP scans are updated to include specific subscriptions, they continue to provide an incremental scan and will not revert to a full scan.
  • If you choose All Subscriptions, then new subscriptions are picked up automatically when they are added. If you chose specific subscriptions in the scan configuration, when new subscriptions are added, you will have to add them manually to the scan.
  1. Click Next
  2. On the Schedule Scan page, select the schedule for your scan to run:
    • None (On-Demand Only). Run the scan once now.
    • Daily. Run the scan once a day. Configure the time and time zone. 
    • Weekly. Run the scan once a week. Configure the day, time, and time zone. 
  3. Click Next
  4. On the Review & Activate page, review your settings for the On-Demand Scan, and click Save.  Or click Back to make changes. 

Once a scan has completed, you can view the results, or rerun the scan again anytime on the Policy > On-Demand Scan page. 

View policy incident violations on the Policy Incidents page. 

  • Was this article helpful?